AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Verify HMAC-signed webhook payloads from Stripe, GitHub, Slack, and any service that signs webhooks with a shared secret
The value of the Stripe-Signature, X-Hub-Signature-256, or similar header
Enter the payload, secret, and signature above, then click Validate Signature
Webhook signature validation is the process of verifying that an incoming webhook request genuinely came from the expected sender and hasn't been tampered with. Services like Stripe, GitHub, Slack, and many others sign their webhook payloads using HMAC (Hash-based Message Authentication Code) with a shared secret known only to the sender and the receiver.
By recomputing the HMAC signature on the received payload and comparing it to the signature included in the webhook headers, you can cryptographically verify the authenticity and integrity of the webhook — before processing it.
whsec_... for Stripe).Stripe-Signature, X-Hub-Signature-256, or similar header.Stripe
Header: Stripe-Signature
Format: t=timestamp,v1=signature,v0=legacy
Algorithm: HMAC-SHA256 with timestamp.payload as the signing string
Uses whsec_ prefix secret
GitHub
Header: x-hub-signature-256
Format: sha256=hex-signature
Algorithm: HMAC-SHA256 of the raw request body
Also supports x-hub-signature (SHA1)
Slack
Header: x-slack-signature
Format: v0=hex-signature
Algorithm: HMAC-SHA256 with v0:timestamp:body
Uses signing secret from Slack app config
Generic HMAC
Header: Custom (e.g. x-webhook-signature)
Format: Typically hex-signature or alg=hex-signature
Supports SHA1, SHA256, SHA512
Simple HMAC of the request body
Why is signature validation important?
Without validation, anyone who knows your webhook URL can send fake events to your endpoint, potentially triggering actions like order fulfillment, account changes, or data processing. Signature validation ensures the webhook genuinely came from the service you trust.
What if my signature doesn't match?
Common causes include: incorrect secret key, wrong payload (check for whitespace differences, encoding issues, or URL-encoded bodies), wrong signature format (check for prefix), or using the wrong timestamp with services like Stripe that include timestamps in the signature.
Are my secrets safe using this tool?
Yes. All signature computation happens entirely in your browser using the Web Crypto API. No data is sent to any server. Your secret, payload, and signatures remain private.
What is the difference between SHA1, SHA256, and SHA512?
They are cryptographic hash functions of different strength. SHA256 is recommended for most use cases. SHA1 is considered weak but still used by some legacy services. SHA512 provides a larger hash for higher security requirements.
This tool helps you validate and verify webhook signatures to ensure the authenticity and integrity of incoming webhook payloads.
Enter your webhook payload, the signature, and your secret key. The tool verifies the signature using the configured algorithm.
No. All processing is performed locally in your browser. Your data never leaves your device.
The tool supports common webhook signature algorithms used by popular services like GitHub, Stripe, and Slack.
Yes. This tool is completely free with no usage limits or registration required.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026